Security manager's journal: The perils of enterprise search

First and foremost, you have to make sure you don't compromise the rule of least privilege.

I'm a big fan of search. The ability to use the Internet to cull information on virtually any topic with just a few clicks has made me more efficient and better informed. And "information" can come in the form of pictures, documents, videos, news feeds -- whatever you need.

So you might think that when my company's application team told me they wanted to initiate an enterprise search project, I would have jumped on board. Not quite. For security and legal reasons, enterprise search can lead to real problems if not deployed with excruciating care and strict governance.

Trouble Ticket

At issue: The application team wants enterprise search.

Action plan: Assess all the risks that search could expose, and address them one by one.

If security concerns aren't addressed, this is what you can expect: The IT team does some research, makes a choice, deploys the infrastructure and begins pointing it to data repositories. Before you know it, someone conducts a search with a term like "M&A" and turns up a sensitive document naming a company that's being considered for acquisition, or a search for the word "salary" reveals an employee salary list that was saved in an inappropriate directory. In other words, people will be able to find all manner of documents that they shouldn't have access to. It's a flagrant violation of what is probably my most important security philosophy: the rule of least privilege.

The rule of least privilege, which I have discussed here many times before, holds that information should be accessible only by those who have a need to know it. When you apply this rule to enterprise search, it means that searches should turn up only those document names, associated metadata and, most important, content that the searcher is allowed to see.

When it comes to controlling access and exposure to searchable data, you can rely on the techniques referred to as early binding and late binding, or you can adopt a hybrid model. With early binding, users decide who can access a document when they add it to the search index. With late binding, the decision is made when a query is submitted. Early binding is much more complex to set up and maintain but offers better performance. My recommendation, though, is a hybrid approach, which offers the best of both worlds. Of course, you will have to consider the pros and cons and weigh them against your own organization's needs.

The fact that your enterprise search results will be provided via a URL can cause another problem. You need to make sure that such URLs can't be manipulated to provide access to other documents or data. For example, a URL such as might be open to manipulation by simply changing the "210" to another number.

My next concern is about access to the administrative and back-end infrastructure of the search technology, as well as any third-party or bundled data analytics tools and any back-end disk storage. Access to those resources should be limited based on the rule of least privilege. All of that infrastructure must also comply with our configuration management and baseline security configurations.

I also want to make sure that the use of enterprise search is restricted to authenticated domain members. We don't want vendors or guests doing searches for data that they shouldn't see.

Another potential problem is that some search engines use caching to serve up frequently accessed data. I'll need to be sure that any caching technology conforms to our data retention policies and that there aren't any e-discovery issues.

Finally, the search infrastructure will need constant oversight to ensure that no document libraries are added without having accessibility rules assigned to them and that employees don't save documents in existing libraries that allow wider access than the document deserves.

Enterprise search is like much else in the enterprise: very powerful and extremely useful, but risky and in need of constant attention.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at

Join in the discussions about security!

Join the CSO newsletter!

Error: Please check your email address.

Tags securityinternetsearch engines

More about TopicYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Mathias Thurman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts